
Compromised Router with Hacked PPTP VPN User

Discussion in 'Asuswrt-Merlin' started by 857pt, Jan 13, 2020.

  1. 857pt

    857pt New Around Here

    Joined:
    Jan 13, 2020
    Messages:
    2
    I just noticed today that a PPTP VPN Server was running on my router along with a hacked Username i8661053. Concerned, I checked my logs and found multiple instances of this user attempting to access the VPN unsuccessfully. The IP addresses appear to be coming from Russia (92.63.194.85) and China (60.191.52.254).

    I updated my firmware to Merlin RT-AC68U_384.14_2 on Jan 2 just as a frame of reference. I did run a shasum -a 256 from the OSX command line to verify the checksum before updating the firmware. Before that I was running a firmware version that dated back to July 2018, RT-AC68U_384.6. (Yes, I'm a dumbass for not updating more frequently)

    My logs are odd - There is a bunch of activity starting on Jan 2, and entries are populated for every day since. However, before Jan 2 the previous log entries are May 5 (just on May 5th). I don't remember cleaning my logs, but I very easily may have purged my logs when I updated the firmware last week.

    The first mention of pptp in the logs starts on Jan 4.

    Code:
    Jan  4 01:08:04 pptpd[29125]: CTRL: Client 92.63.194.81 control connection started
    Jan  4 01:08:04 pptpd[29125]: CTRL: Starting call (launching pppd, opening GRE)
    Jan  4 01:08:04 pptp[29126]: Plugin pptp.so loaded.
    Jan  4 01:08:04 pptp[29126]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
    Jan  4 01:08:04 pptp[29126]: pppd 2.4.7 started by admin, uid 0
    Jan  4 01:08:04 pptp[29126]: Using interface pptp0
    Jan  4 01:08:04 pptp[29126]: Connect: pptp0 <--> pptp (92.63.194.81)
    Jan  4 01:08:08 pptp[29126]: No CHAP secret found for authenticating user
    Jan  4 01:08:08 pptp[29126]: Peer user failed CHAP authentication
    Jan  4 01:08:08 pptpd[29125]: CTRL: EOF or bad error reading ctrl packet length.
    Jan  4 01:08:08 pptpd[29125]: CTRL: couldn't read packet header (exit)
    Jan  4 01:08:08 pptpd[29125]: CTRL: CTRL read failed
    Jan  4 01:08:08 pptpd[29125]: CTRL: Client pppd TERM sending
    Jan  4 01:08:08 pptpd[29125]: CTRL: Client pppd finish wait
    Jan  4 01:08:08 pptp[29126]: Terminating on signal 15
    Jan  4 01:08:08 pptpd[29139]: CTRL: Client 92.63.194.82 control connection started
    Jan  4 01:08:08 pptpd[29139]: CTRL: Starting call (launching pppd, opening GRE)
    Jan  4 01:08:08 pptp[29141]: Plugin pptp.so loaded.
    Jan  4 01:08:08 pptp[29141]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
    Jan  4 01:08:08 pptp[29141]: pppd 2.4.7 started by admin, uid 0
    Jan  4 01:08:08 pptp[29141]: Couldn't allocate PPP unit 10 as it is already in use
    Jan  4 01:08:08 pptp[29141]: Using interface pptp1
    Jan  4 01:08:08 pptp[29141]: Connect: pptp1 <--> pptp (92.63.194.82)
    Jan  4 01:08:09 pptp[29141]: appear to have received our own echo-reply!
    Jan  4 01:08:09 pptp[29141]: No CHAP secret found for authenticating vpn
    Jan  4 01:08:09 pptp[29141]: Peer vpn failed CHAP authentication
    Jan  4 01:08:09 pptpd[29139]: CTRL: EOF or bad error reading ctrl packet length.
    Jan  4 01:08:09 pptpd[29139]: CTRL: couldn't read packet header (exit)
    Jan  4 01:08:09 pptpd[29139]: CTRL: CTRL read failed
    Jan  4 01:08:09 pptpd[29139]: CTRL: Client pppd TERM sending
    Jan  4 01:08:09 pptpd[29139]: CTRL: Client pppd finish wait
    Jan  4 01:08:09 pptp[29141]: Terminating on signal 15
    Jan  4 01:08:09 pptpd[29153]: CTRL: Client 92.63.194.83 control connection started
    Jan  4 01:08:10 pptpd[29153]: CTRL: Starting call (launching pppd, opening GRE)
    Jan  4 01:08:10 pptp[29154]: Plugin pptp.so loaded.
    Jan  4 01:08:10 pptp[29154]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
    Jan  4 01:08:10 pptp[29154]: pppd 2.4.7 started by admin, uid 0
    Jan  4 01:08:10 pptp[29154]: Couldn't allocate PPP unit 10 as it is already in use
    Jan  4 01:08:10 pptp[29154]: Couldn't allocate PPP unit 11 as it is already in use
    Jan  4 01:08:10 pptp[29154]: Using interface pptp2
    Jan  4 01:08:10 pptp[29154]: Connect: pptp2 <--> pptp (92.63.194.83)
    Jan  4 01:08:10 pptp[29154]: appear to have received our own echo-reply!
    Jan  4 01:08:10 pptp[29154]: No CHAP secret found for authenticating Admin
    Jan  4 01:08:10 pptp[29154]: Peer Admin failed CHAP authentication
    Jan  4 01:08:10 pptpd[29153]: CTRL: EOF or bad error reading ctrl packet length.
    Jan  4 01:08:10 pptpd[29153]: CTRL: couldn't read packet header (exit)
    Jan  4 01:08:10 pptpd[29153]: CTRL: CTRL read failed
    Jan  4 01:08:10 pptpd[29153]: CTRL: Client pppd TERM sending
    Jan  4 01:08:10 pptpd[29153]: CTRL: Client pppd finish wait
    Jan  4 01:08:10 pptp[29154]: Terminating on signal 15
    Jan  4 01:08:12 pptpd[29165]: CTRL: Client 92.63.194.85 control connection started
    Jan  4 01:08:12 pptpd[29165]: CTRL: Starting call (launching pppd, opening GRE)
    Jan  4 01:08:12 pptp[29166]: Plugin pptp.so loaded.
    Jan  4 01:08:12 pptp[29166]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
    Jan  4 01:08:12 pptp[29166]: pppd 2.4.7 started by admin, uid 0
    Jan  4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 10 as it is already in use
    Jan  4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 11 as it is already in use
    Jan  4 01:08:12 pptp[29166]: Couldn't allocate PPP unit 12 as it is already in use
    Jan  4 01:08:12 pptp[29166]: Using interface pptp3
    Jan  4 01:08:12 pptp[29166]: Connect: pptp3 <--> pptp (92.63.194.85)
    Jan  4 01:08:12 pptp[29166]: appear to have received our own echo-reply!
    Jan  4 01:08:12 pptp[29166]: No CHAP secret found for authenticating 11
    Jan  4 01:08:12 pptp[29166]: Peer 11 failed CHAP authentication
    Jan  4 01:08:12 pptpd[29165]: CTRL: EOF or bad error reading ctrl packet length.
    Jan  4 01:08:12 pptpd[29165]: CTRL: couldn't read packet header (exit)
    Jan  4 01:08:12 pptpd[29165]: CTRL: CTRL read failed
    Jan  4 01:08:12 pptpd[29165]: CTRL: Client pppd TERM sending
    Jan  4 01:08:12 pptpd[29165]: CTRL: Client pppd finish wait
    Jan  4 01:08:12 pptp[29166]: Terminating on signal 15
    Jan  4 01:08:13 pptpd[29178]: CTRL: Client 92.63.194.31 control connection started
    Jan  4 01:08:13 pptpd[29178]: CTRL: Starting call (launching pppd, opening GRE)
    Jan  4 01:08:13 pptp[29179]: Plugin pptp.so loaded.
    Jan  4 01:08:13 pptp[29179]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
    Jan  4 01:08:13 pptp[29179]: pppd 2.4.7 started by admin, uid 0
    Jan  4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 10 as it is already in use
    Jan  4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 11 as it is already in use
    Jan  4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 12 as it is already in use
    Jan  4 01:08:13 pptp[29179]: Couldn't allocate PPP unit 13 as it is already in use
    Jan  4 01:08:13 pptp[29179]: Using interface pptp4
    Jan  4 01:08:13 pptp[29179]: Connect: pptp4 <--> pptp (92.63.194.31)
    etc..
    
    If I’m reading that correctly, it doesn’t appear the hacker was able to connect. I’m not sure why.

    Multiple attempts were made on Jan 4 and at least one attempt has been made every day since.

    This is the only mention in the logs of the Chinese IP address, on Jan 6th:

    Code:
    Jan  6 15:20:34 pptpd[576]: MGR: dropped small initial connection
    Jan  6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection started
    Jan  6 15:20:34 pptpd[29664]: CTRL: EOF or bad error reading ctrl packet length.
    Jan  6 15:20:34 pptpd[29664]: CTRL: couldn't read packet header (exit)
    Jan  6 15:20:34 pptpd[29664]: CTRL: CTRL read failed
    Jan  6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection finished
    
    What doesn’t make sense:
    1. My default language was never changed from English
    2. AiCloud 2.0 services are all disabled
    3. Administration>System>Enable Web Access from WAN is disabled (and has been for a long time)
    4. I don’t use any apps that connect to my router
    5. I do use OpenVPN, but only to connect to my network from my iPhone
    6. SSH is disabled
    What is interesting:
    1. Router Login Name is admin and no password is set, I did have a password set at one time
    2. My credit card has been hacked from online purchases four times in the past year. I suspected MacOS at first, but couldn’t find any viruses or malware. Could my router be the source and, if so, how can a compromised router obtain credit card information?
    3. I have noticed that some specific websites are redirecting safari to fake Adobe Flash Player update malware sites. The issue seems to have stopped since I updated my router firmware on Jan 2nd. Could this also be caused by a compromised router?
    I did save the JFFS backup. Is it worth uploading that to this forum? (Assuming someone here is able and willing to pick through it and see what was done).

    At this point I'm going to format JFFS, reset the router to factory default and re-flash the latest version of Merlin. I'm really posting this just to understand:
    1. How did this happen? I’m aware of similar hacks posted about in the past year - is this now a known vulnerability that has since been patched?
    2. Is the firmware itself infected with the fake VPN accounts?
    3. Is there any way to determine if the hacker accessed anything else in my network?
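As an added example (not code from the original post or from Asuswrt-Merlin), the following Python script turns a syslog excerpt like the one quoted above into a per-source-IP summary: control connections opened, failed CHAP logins with the usernames tried, probe connections that never sent a valid header, and any successful authentication. The sample lines are constructed from the post's log format; the final 198.51.100.7 lines are invented to show what a real login would look like and do not appear in the poster's log. The success message text is assumed to be pppd's standard server-side wording ("CHAP peer authentication succeeded for <user>").

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the pptpd/pppd lines quoted in the post.
# The last three lines (198.51.100.7 / vpnuser) are invented to show what a
# successful login looks like; nothing like them appears in the poster's log.
SAMPLE_LOG = """\
Jan  4 01:08:04 pptpd[29125]: CTRL: Client 92.63.194.81 control connection started
Jan  4 01:08:04 pptp[29126]: Connect: pptp0 <--> pptp (92.63.194.81)
Jan  4 01:08:08 pptp[29126]: Peer user failed CHAP authentication
Jan  4 01:08:08 pptpd[29139]: CTRL: Client 92.63.194.82 control connection started
Jan  4 01:08:08 pptp[29141]: Connect: pptp1 <--> pptp (92.63.194.82)
Jan  4 01:08:09 pptp[29141]: Peer vpn failed CHAP authentication
Jan  4 01:08:10 pptpd[29153]: CTRL: Client 92.63.194.83 control connection started
Jan  4 01:08:10 pptp[29154]: Connect: pptp2 <--> pptp (92.63.194.83)
Jan  4 01:08:10 pptp[29154]: Peer Admin failed CHAP authentication
Jan  6 15:20:34 pptpd[576]: MGR: dropped small initial connection
Jan  6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection started
Jan  6 15:20:34 pptpd[29664]: CTRL: Client 60.191.52.254 control connection finished
Jan  7 03:11:02 pptpd[30001]: CTRL: Client 198.51.100.7 control connection started
Jan  7 03:11:02 pptp[30002]: Connect: pptp0 <--> pptp (198.51.100.7)
Jan  7 03:11:05 pptp[30002]: CHAP peer authentication succeeded for vpnuser
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<proc>pptpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CTRL_START_RE = re.compile(r'CTRL: Client (?P<ip>[\d.]+) control connection started')
CONNECT_RE = re.compile(r'Connect: \S+ <--> pptp \((?P<ip>[\d.]+)\)')
FAIL_RE = re.compile(r'Peer (?P<user>\S+) failed CHAP authentication')
SUCCESS_RE = re.compile(r'CHAP peer authentication succeeded for (?P<user>\S+)')


def analyse_pptp_log(text):
    """Summarise pptpd/pppd syslog lines per source IP.

    pptpd logs the client IP under its own pid, but the pppd it spawns logs
    under a different pid (as 'pptp[<pid>]'), so the 'Connect: pptpN <--> pptp
    (IP)' line is used to map each pppd pid back to the peer address before
    CHAP results are attributed to it.
    """
    pid_to_ip = {}
    control = Counter()               # IP -> control connections opened
    failed = defaultdict(Counter)     # IP -> {username: failed attempts}
    successes = []                    # (timestamp, IP, username)
    probes = 0                        # connections dropped before a valid header
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, pid, msg = m.group('ts', 'proc', 'pid', 'msg')
        if proc == 'pptpd':
            cm = CTRL_START_RE.search(msg)
            if cm:
                control[cm.group('ip')] += 1
            elif 'dropped small initial connection' in msg:
                probes += 1
            continue
        # proc == 'pptp': pppd running the pptp plugin
        cm = CONNECT_RE.search(msg)
        if cm:
            pid_to_ip[pid] = cm.group('ip')
            continue
        ip = pid_to_ip.get(pid, 'unknown')
        fm = FAIL_RE.search(msg)
        if fm:
            failed[ip][fm.group('user')] += 1
            continue
        sm = SUCCESS_RE.search(msg)
        if sm:
            successes.append((ts, ip, sm.group('user')))
    return {
        'control_connections': dict(control),
        'failed_auth': {ip: dict(c) for ip, c in failed.items()},
        'usernames_tried': sorted({u for c in failed.values() for u in c}),
        'probes': probes,
        'successes': successes,
    }


def format_report(report):
    """Render the summary; a successful login is the line to look for."""
    lines = []
    by_count = sorted(report['control_connections'].items(), key=lambda kv: -kv[1])
    for ip, n in by_count:
        users = report['failed_auth'].get(ip, {})
        lines.append(f'{ip}: {n} control connection(s), '
                     f'{sum(users.values())} failed CHAP login(s) as {sorted(users) or "-"}')
    lines.append(f'probe connections dropped before a valid header: {report["probes"]}')
    if report['successes']:
        for ts, ip, user in report['successes']:
            lines.append(f'*** SUCCESSFUL LOGIN {ts} from {ip} as {user} ***')
    else:
        lines.append('no successful CHAP authentication found')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(format_report(analyse_pptp_log(SAMPLE_LOG)))
```

Run against the real syslog (for example the output of `cat /tmp/syslog.log` from the router, or the exported log) the question "did they get in?" reduces to whether any "SUCCESSFUL LOGIN" line is printed; the "No CHAP secret found" / "failed CHAP authentication" pairs in the poster's log mean the guessed usernames were not in the server's secrets file at all, which is why none of those sessions got past authentication. A username that does appear in the secrets file but still fails would show up as repeated failures for that one name and is worth treating as an active password-guessing attempt.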
     
  2. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    986
    A few things:

    1. The May date in the logs is likely just log messages on initial boot before the ntp server kicked in.
    2. I don't know if the behavior in PPTP is the same as OpenVPN, but if the only credentials needed are user name/password, then your admin user can login. Since you use OpenVPN, immediately change the name of your admin and add a password. URGENTLY. If you don't make that a hard password combo, then exclude that user from the ability to login. Also, make sure you also require certificates to login. Then, also, turn off the PPTP server. You aren't using it.
    3. I don't know a lot about PPTP, but it didn't look like the attempts were successful. But if you think you are targeted intentionally, then harden your setup. All of us are targeted randomly.
    4. PPTP is considered insecure. Never paid it enough attention beyond that to understand.
     
  3. 857pt

    857pt New Around Here

    Joined:
    Jan 13, 2020
    Messages:
    2
    2. I have since wiped the router with a factory reset and JFFS format. I created a new user and difficult password for administration. I don't think the router admin user can log in with OpenVPN, however I do have ovpn disabled for now.

    3. I think it was random, probably a script. I don't know how they got in though - they had to have gained access at least once to create the VPN user. I reinstalled the latest stable Merlin release and the PPTP VPN server was disabled with no users - so it wasn't included with the firmware update.

     
  4. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    986
    This is the thing, if you allow authentication by user/password only for OpenVPN (without a certificate), and you create complicated user/password combinations but have something stupid for the router, like admin/1234, then admin/1234 can login to OpenVPN server, too.

    I think this is a big and underappreciated hole.
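To make the distinction concrete, an added example (generic OpenVPN server directives, not the configuration Asuswrt-Merlin generates, and not code from anyone in this thread) showing the password-only setting beside a certificate-required one. The script and key paths are hypothetical; on the router the equivalent choices are made in the OpenVPN server page of the GUI and the config file is written by the firmware.

```conf
# --- Weak: username/password only ---------------------------------------
# No client certificate is checked, so any credential the verify script
# accepts is a VPN login. The point made above is that on the router the
# admin account's password can be one of those credentials.
verify-client-cert none
auth-user-pass-verify /jffs/scripts/vpn-auth.sh via-file   # hypothetical script
username-as-common-name

# --- Hardened: certificate required, password as an additional factor ----
verify-client-cert require            # OpenVPN 2.4+ default; no valid cert, no session
auth-user-pass-verify /jffs/scripts/vpn-auth.sh via-file   # hypothetical script
tls-crypt /jffs/openvpn/ta.key        # hypothetical path; rejects handshakes without the shared key
```

With `verify-client-cert require` a guessed password alone gets an attacker nothing, because the TLS handshake fails before the username/password is ever sent; `tls-crypt` additionally stops unauthenticated clients from even completing the first packet exchange. Whichever way OpenVPN is configured, leave the PPTP server off as advised above; it adds a second, weaker login path to the same router.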
     
  5. kernol

    kernol Senior Member

    Joined:
    Feb 24, 2018
    Messages:
    278
    Location:
    South Africa
    I strongly suggest you add both Diversion and Skynet to your router - will help tighten things up going forwards.
    Start with amtm and a USB flash drive ... here https://www.snbforums.com/threads/amtm-the-snbforum-asuswrt-merlin-terminal-menu.42415/
     
  6. mike37

    mike37 Occasional Visitor

    Joined:
    Mar 17, 2014
    Messages:
    22
    This is scary; thanks for posting!!

    ISTM this could be an inside job. Suggest you consider rebuilding the desktop as well as the router. At least check Safari for any strange addons (happened to a friend recently).

    (Random Misc:
    -Is(are) your LAN stuff up to date?
    -IIUC, Safari has had some issues and a hack would explain the credit card compromise; changing the router configuration would be easy from there.
    - FWIW, In the old days I'd use OVPN to connect on an oddball port (after using a "portknock" to "unstealth" the hidden port.) OVPN can be configured to allow LAN as well as WAN access, so check to see if OVPN can access LAN.)

    Sigh!...At any rate I'd keep a very close eye on things for a while. Please keep us posted.
     
  7. Adamm

    Adamm Part of the Furniture

    Joined:
    Mar 26, 2013
    Messages:
    2,522
    This was a known exploit a few months back which mitigations were put in place within Skynet for. I do suggest a full factory reset first before proceeding further. Moral of the story, always keep your firmware up to date.
     